Skip to content

chore: ensure downloaded slim binary version matches server #211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: ethan/slim-over-dylib
Choose a base branch
from
Open

chore: ensure downloaded slim binary version matches server #211

wants to merge 1 commit into from

Conversation

ethanndickson
Copy link
Member

@ethanndickson ethanndickson commented Jul 31, 2025
edited
Loading

Relates to #201.

After we've validated the binary signature, we exec coder version --output=json to validate the version of the downloaded binary matches the server. This is done to prevent against downgrade attacks, and to match the checking we had on the dylib before.

Additionally, this PR also ensures the certificate used to sign the binary is part of an Apple-issued certificate chain.

I assumed we were checking this before (by default) but we weren't.
Though we weren't previously checking it, we were only ever downloading and executing a dylib.
My understanding is that macOS won't execute a dylib unless the executing process and the dylib were signed by the same Apple developer team (at least in a sandboxed process, as is the Network Extension).

Only now, when posix_spawning the slim binary from an unsandboxed LaunchDaemon, is this check absolutely necessary.

@ethanndickson ethanndickson mentioned this pull request Jul 31, 2025
Open
@ethanndickson Graphite App
Copy link
Member Author

ethanndickson commented Jul 31, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ethanndickson ethanndickson marked this pull request as ready for review July 31, 2025 07:27
@matifali
Copy link
Member

Not directly related but @jdomeracki-coder should we also implement binary verification in Coderd Desktop?

cc: @deansheather

@ethanndickson
Copy link
Member Author

ethanndickson commented Jul 31, 2025
edited
Loading

@matifali We already check the code signature for both mac and Windows, it was part of the RFC.
It's even more important for Coder Desktop because the process runs as root.

@ethanndickson ethanndickson self-assigned this Jul 31, 2025
@ethanndickson ethanndickson force-pushed the ethan/validate-slim-binary-version branch from 929c831 to 262c4d1 Compare July 31, 2025 08:07
deansheather
deansheather reviewed Jul 31, 2025
View reviewed changes
Coder-Desktop/VPNLib/Validate.swift

let version: String
do {
let versionOutput = try await Subprocess.data(for: [binaryPath.path, "version", "--output=json"])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any way to drop privileges for this subprocess? We are root after all...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deansheather deansheather deansheather left review comments

Assignees

@ethanndickson ethanndickson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ethanndickson @matifali @deansheather